My wireless network has been based on a WLC2504 controller with two 2602 APs. The network has been running quite well, with, of course, the caveats that came with the different WLC releases. With the maturity of Mobility Express (ME), the need for a dedicated controller for such a small wireless network has basically become obsolete, as one of the APs becomes the master controller in the network. I was able to acquire two 1852 APs with ME, so it was time to upgrade my wireless network to 802.11ac with ME.
Design considerations
Joep Remkes, a Cisco Systems Engineer, was kind enough to share the Cisco Mobility Express Quick Start Guide and explained to me what Mobility Express actually is. The latter is key to understanding it: in effect, a mini Wireless LAN Controller (mini WLC) runs as a virtual machine inside the AP code. As it is a separate machine, it has a separate IP address and you manage it separately. That is something you really need to keep in mind when deploying Mobility Express. Another thing to be aware of is that FlexConnect is used for breakout, so yes, there is a CAPWAP tunnel, but not for client traffic. The figure below displays functionally how Mobility Express is essentially organised.

So in a Mobility Express deployment, there is a master election (i.e. which AP in your network becomes your controller and manages the configuration). The diagram below describes the flow that an AP goes through when booting up.

Setting up a fresh ME deployment
Setting up an ME-based deployment is really easy. Of course the Cisco guide is more extensively written, but for my deployment, I executed the following steps.

Create VLAN and DHCP scope
As I run an external DHCP server (my IOS switch), and within an ME setup you cannot use both an external and the internal DHCP server, I created a new AP VLAN (221) and configured the DHCP scope on my core switch. There are no special DHCP options required for the discovery of the master AP on your network.

    na-vur-c3560-1#config term
    na-vur-c3560-1(config)#vlan 221
    na-vur-c3560-1(config-vlan)#name ap-net
    na-vur-c3560-1(config-vlan)#ip dhcp excluded-address 10.255.249.1 10.255.249.10
    na-vur-c3560-1(config)#ip dhcp excluded-address 10.255.249.250 10.255.249.255
    na-vur-c3560-1(config)#ip dhcp pool wireless-ap
    na-vur-c3560-1(dhcp-config)#network 10.255.249.0 255.255.255.0
    na-vur-c3560-1(dhcp-config)#default-router 10.255.249.1
    na-vur-c3560-1(dhcp-config)#dns-server 208.67.222.222
    na-vur-c3560-1(dhcp-config)#end
    na-vur-c3560-1#

Configure interface for your master AP
Once the VLAN and DHCP are configured, configure the switch with an SVI (layer 3 interface) and configure the interface to which the AP will be connected.

    na-vur-c3560-1(config)#interface vlan221
    na-vur-c3560-1(config-if)#description ap-net
    na-vur-c3560-1(config-if)#ip add 10.255.249.1 255.255.255.0
    na-vur-c3560-1(config-if)#no shut
    na-vur-c3560-1(config-if)#interface GigabitEthernet0/3
    na-vur-c3560-1(config-if)#description ge0-0-1852-master
    na-vur-c3560-1(config-if)#switchport trunk encapsulation dot1q
    na-vur-c3560-1(config-if)#switchport mode trunk
    na-vur-c3560-1(config-if)#switchport trunk native vlan 221
    na-vur-c3560-1(config-if)#end

If you use VLANs, you have to use the native VLAN for that network, so that the master AP gets an IP address in the proper network. I’ve added the configuration spanning-tree portfast trunk, as STP blocking can cause some delay for client onboarding.

Bootup the master AP
Now plug in the master AP and wait while the AP boots. The AP master selection process will be executed. Wait until you see the SSID “CiscoAirProvision”. The SSID “CiscoAirProvision” is used by Cisco for over-the-air configuration. Use password “password” to connect to the network. You will get an internal IP address.

Connect to SSID “CiscoAirProvision” and configure

Once you’re connected, start a browser and go to the site https://mobilityexpress.cisco/screens/day0-config.html or, easier, http://192.168.1.1/ and run through the steps of the wizard (see screenshots below), applying the values that are appropriate to your environment.
Apply settings and test with the Master AP

Now apply the settings, wait until the AP is rebooted and connect to your network. Once connected, use your browser to check that you can connect to the IP address of the master AP controller. As you’ll see, the GUI is similar to the new WLC 8.2+ frontpage and is very recognisable.

Now configure other APs and switch interfaces
Once the master AP works, configure other PoE-enabled ports on your switch for the other APs, plug them in and wait. After some time, the APs will join the master AP and your wireless network is set up! For this, I’ve used the same interface config as the master AP, except for the description.


Upgrading an ME deployment is slightly different from upgrading a controller-based deployment; that will be another blog post (soon).
10 Responses
Hello Pieter-Jan,
My name is David and I also live in the Netherlands :). Great to see your post about Cisco ME.
I am setting up a home lab just to experience Cisco ME, I have these 2 APs:
One AIR-AP1815i-E-K9 (AP Running Image:8.8.1.153), running as the WLC, it is working. It was configured by the CLI Initial Configuration Wizard. I can log into its web GUI, its SSID “employee” is working. With controller IP address 192.168.128.100
One AIR-CAP2602I-E-K9 [Cisco IOS Software, C2600 Software (AP3G2-K9W8-M), Experimental Version 15.3(20150924:055549)], with AP IP address 192.168.128.13
The problem is that the 2602I failed to join the 1815i WLC
This is the logging from the 1815i WLC side:
*spamApTask0: Nov 20 16:32:52.535: %CAPWAP-3-JOIN_UNSUPP_AP: capwap_ac_sm.c:5165 The system has received a join request from an unsupported AP 5c:a4:8a:1e:c2:60 AP78da.6e8e.1259 (model AIR-CAP2602I-E-K), dropping the packet
*spamApTask0: Nov 20 16:32:52.204: %CAPWAP-3-DTLS_CLOSED_ERR: capwap_ac_sm.c:7238 5c:a4:8a:1e:c2:60: DTLS connection closed forAP 192:168:128:13 (57639), Controller: 192:168:128:100 (5246) Join Request Process Failed
This is the logging from the 2602I side:
Translating “CISCO-CAPWAP-CONTROLLER”…domain server (192.168.128.1)
*Nov 16 16:33:39.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.128.100 peer_port: 5246
*Nov 16 16:33:40.323: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.128.100 peer_port: 5246
*Nov 16 16:33:40.323: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.128.100
*Nov 16 16:33:40.327: %DTLS-5-ALERT: Received WARNING : Close notify alert from 192.168.128.100
*Nov 16 16:33:40.327: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.128.100:5246
I see you are also using 2602 APs with ME controller. My question is what did you do to enable the 2602 APs to join the ME controller? Are certain specific IOS releases required on the 2602 APs (it seems the IOS release I have on my 2602 doesn’t support joining a ME controller)?
Thank you for your attention on this matter. Your reply would be greatly appreciated!
Kind regards,
David
Hello David,
You are running ME 8.8 code on the controller. This code does not support the 2602 APs. Starting with 8.7 and higher only 802.11AC Wave1 APs (x700 series) are supported. I’m running ME off two 1852 APs. If you want to run the ME code with 2602s as well, you need to have 8.5 code on your ME controller. You can check this out yourself at the wireless compatibility matrix at https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html#pgfId-393660
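The join failure discussed in this exchange, as an added example that is not part of the original post or comments: a small Python triage script that correlates the controller-side CAPWAP messages by AP MAC, so a DTLS close is read together with the `JOIN_UNSUPP_AP` line that explains it. The function names `triage` and `verdict` are hypothetical, and the only input is the two controller log lines quoted in the comment above.

```python
import re
from collections import defaultdict

# Controller-side lines as quoted in the comment above (the only input used here).
SAMPLE_LOG = """\
*spamApTask0: Nov 20 16:32:52.535: %CAPWAP-3-JOIN_UNSUPP_AP: capwap_ac_sm.c:5165 The system has received a join request from an unsupported AP 5c:a4:8a:1e:c2:60 AP78da.6e8e.1259 (model AIR-CAP2602I-E-K), dropping the packet
*spamApTask0: Nov 20 16:32:52.204: %CAPWAP-3-DTLS_CLOSED_ERR: capwap_ac_sm.c:7238 5c:a4:8a:1e:c2:60: DTLS connection closed forAP 192:168:128:13 (57639), Controller: 192:168:128:100 (5246) Join Request Process Failed
"""

MAC = r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
# "*task: Mon DD hh:mm:ss.mmm: %FACILITY-SEV-MNEMONIC: file.c:line message"
HEADER = re.compile(
    r"^\*\S+: (?P<ts>\w{3} +\d+ [\d:.]+): %(?P<tag>[A-Z]+-\d-[A-Z_]+): \S+ (?P<msg>.*)$")
UNSUPP = re.compile(r"unsupported AP " + MAC + r" (?P<name>\S+) \(model (?P<model>[^)]+)\)")
DTLS = re.compile(
    MAC + r": DTLS connection closed for\s*AP (?P<ap_ip>[\d:]+) \(\d+\), "
    r"Controller: (?P<wlc_ip>[\d:]+) \(\d+\) (?P<reason>.+)$")

def triage(log_text):
    """Group controller-side join failures by the AP MAC shown in each message."""
    aps = defaultdict(dict)
    for line in log_text.splitlines():
        head = HEADER.match(line.strip())
        if not head:
            continue  # not a controller syslog line in the expected layout
        tag, msg = head["tag"], head["msg"]
        if tag == "CAPWAP-3-JOIN_UNSUPP_AP" and (m := UNSUPP.search(msg)):
            aps[m["mac"]].update(name=m["name"], model=m["model"], unsupported=True)
        elif tag == "CAPWAP-3-DTLS_CLOSED_ERR" and (m := DTLS.search(msg)):
            # The controller prints IPv4 addresses with ':' separators.
            aps[m["mac"]].update(ap_ip=m["ap_ip"].replace(":", "."),
                                 controller_ip=m["wlc_ip"].replace(":", "."),
                                 reason=m["reason"])
    return dict(aps)

def verdict(ap):
    """Prefer the model rejection over the DTLS close that accompanies it."""
    if ap.get("unsupported"):
        return f"{ap['model']} rejected by the running controller release; check the compatibility matrix"
    if "reason" in ap:
        return f"DTLS closed: {ap['reason']}"
    return "no join failure seen"

if __name__ == "__main__":
    for mac, ap in triage(SAMPLE_LOG).items():
        print(mac, ap.get("name"), ap.get("ap_ip"), "->", verdict(ap))
```
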
Hi Pieter-Jan,
Thank you for your quick reply and the Cisco wireless compatibility matrix link.
They are very helpful!
Kind regards,
David
Hi Pieter,
Can you explain the section IP AP vs controller IP? In your post, we can configure the controller IP through web wizard (by connecting to 192.168.1.1). So, how can I configure the AP IP, is the IP for service clients like normal AP?
Hello Mark,
The common deployment is to use DHCP for the AP IP address assignment. So every AP in your ME deployment is in the same subnet and gets the IP address from the DHCP server. IP broadcasts are used to discover the controller, which is essentially a separate VM on an AP.
Does this make it a bit more clear?
Dear Pieter-Jan,
I have a question about IP address of master AP.
1) For example, if master AP (with controller IP A.A.A.A) is down, so the new elected master AP (which has IP B.B.B.B when it is slave AP) gets the A.A.A.A, right?
2) When the old Master IP comes back online, is it a Slave or Master? If it is a Slave (what IP does it have, does it get a new IP from DHCP?). In case I want it to have a static IP (when it comes back), how do I configure that?
Hello Mark,
On 1), the AP that fulfills the controller role has two IP addresses, one for the AP code and one for the controller. If that AP fails, after election the new AP with the controller role will have two IP addresses, one for its own AP (remains the same) and the IP address for the controller. So effectively, the IP address for the controller code is moving with the controller role to the new AP.
2) When the old AP comes back, it will detect that there is already an AP with the controller role, so it will just join that controller. You can manually flip it to the original AP though.
In summary:
You configure a static IP address for the controller role for configuration and the APs will get a dynamic IP address from DHCP and use the IP broadcast to discover the controller role. That static IP moves with the controller code to whatever AP within the Mobility Express network is currently the master.
Pieter-Jan
Hi Pieter-Jan,
Thanks much, now I understand about controller role IP address and AP IP address.
But I want to know whether I can assign the AP IP address statically to the AP (by CLI), not by DHCP.
Yes, you can assign each AP an individual IP address, just as you can do with the other controller-based deployments. But it is not really recommended because of manageability.